Disable kernel modules under STIG #13079

Open
bmagistro opened this issue Feb 18, 2025 · 0 comments
bmagistro commented Feb 18, 2025

Description of problem:

It is my understanding that having the blacklist entry for the rules below is sufficient to meet the intent of the STIG. The checks are for the install line in the content here. I fully agree the STIG and fix language is confusing, as the check is for one thing but the fix shows something else.

The misalignment affects these profiles:

  • content_profile_stig

The misalignment affects these rules:

  • kernel_module_atm_disabled
  • kernel_module_can_disabled
  • kernel_module_firewire-core_disabled
  • kernel_module_sctp_disabled
  • kernel_module_tipc_disabled
  • kernel_module_bluetooth_disabled
  • kernel_module_usb-storage_disabled

Outcome:

TBD; Currently thinking checks updated to allow blacklisting of the module to satisfy the check

Version Info:

cat /etc/redhat-release 
AlmaLinux release 9.4 (Seafoam Ocelot)


oscap --version
OpenSCAP command line tool (oscap) 1.3.10
Copyright 2009--2023 Red Hat Inc., Durham, North Carolina.

==== Supported specifications ====
SCAP Version: 1.3
XCCDF Version: 1.2
OVAL Version: 5.11.1
CPE Version: 2.3
CVSS Version: 2.0
CVE Version: 2.0
Asset Identification Version: 1.1
Asset Reporting Format Version: 1.1
CVRF Version: 1.1

==== Capabilities added by auto-loaded plugins ====
No plugins have been auto-loaded...

==== Paths ====
Schema files: /usr/share/openscap/schemas
Default CPE files: /usr/share/openscap/cpe

==== Inbuilt CPE names ====
Red Hat Enterprise Linux - cpe:/o:redhat:enterprise_linux:-
Red Hat Enterprise Linux 5 - cpe:/o:redhat:enterprise_linux:5
Red Hat Enterprise Linux 6 - cpe:/o:redhat:enterprise_linux:6
Red Hat Enterprise Linux 7 - cpe:/o:redhat:enterprise_linux:7
Red Hat Enterprise Linux 8 - cpe:/o:redhat:enterprise_linux:8
Community Enterprise Operating System 5 - cpe:/o:centos:centos:5
Community Enterprise Operating System 6 - cpe:/o:centos:centos:6
Community Enterprise Operating System 7 - cpe:/o:centos:centos:7
Community Enterprise Operating System 8 - cpe:/o:centos:centos:8
AlmaLinux 8 - cpe:/o:almalinux:almalinux:8
AlmaLinux 9 - cpe:/o:almalinux:almalinux:9
Fedora 32 - cpe:/o:fedoraproject:fedora:32
Fedora 33 - cpe:/o:fedoraproject:fedora:33
Fedora 34 - cpe:/o:fedoraproject:fedora:34
Fedora 35 - cpe:/o:fedoraproject:fedora:35

==== Supported OVAL objects and associated OpenSCAP probes ====
OVAL family   OVAL object                  OpenSCAP probe              
----------    ----------                   ----------                  
independent   environmentvariable          probe_environmentvariable
independent   environmentvariable58        probe_environmentvariable58
independent   family                       probe_family
independent   filehash58                   probe_filehash58 (SHA-224, SHA-256, SHA-384, SHA-512)
independent   system_info                  probe_system_info
independent   textfilecontent              probe_textfilecontent
independent   textfilecontent54            probe_textfilecontent54
independent   variable                     probe_variable
independent   xmlfilecontent               probe_xmlfilecontent
independent   yamlfilecontent              probe_yamlfilecontent
linux         iflisteners                  probe_iflisteners
linux         inetlisteningservers         probe_inetlisteningservers
linux         partition                    probe_partition
linux         rpminfo                      probe_rpminfo
linux         rpmverify                    probe_rpmverify
linux         rpmverifyfile                probe_rpmverifyfile
linux         rpmverifypackage             probe_rpmverifypackage
linux         selinuxboolean               probe_selinuxboolean
linux         selinuxsecuritycontext       probe_selinuxsecuritycontext
linux         systemdunitdependency        probe_systemdunitdependency
linux         systemdunitproperty          probe_systemdunitproperty
linux         fwupdsecattr                 probe_fwupdsecattr
unix          dnscache                     probe_dnscache
unix          file                         probe_file
unix          fileextendedattribute        probe_fileextendedattribute
unix          interface                    probe_interface
unix          password                     probe_password
unix          process                      probe_process
unix          process58                    probe_process58
unix          routingtable                 probe_routingtable
unix          runlevel                     probe_runlevel
unix          shadow                       probe_shadow
unix          symlink                      probe_symlink
unix          sysctl                       probe_sysctl
unix          uname                        probe_uname
unix          xinetd                       probe_xinetd


dnf info scap-security-guide
Last metadata expiration check: 3:38:56 ago on Tue Feb 18 09:36:24 2025.
Installed Packages
Name         : scap-security-guide
Version      : 0.1.74
Release      : 1.el9_4.alma.1
Architecture : noarch
Size         : 38 M
Source       : scap-security-guide-0.1.74-1.el9_4.alma.1.src.rpm
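
The mismatch described in the issue, as an added example (not code from the issue or from the project's own check): a parser for modprobe.d-style text that reports, for each module named in the affected rules, whether an `install` override or only a `blacklist` entry is present. The function names, the accepted commands `/bin/false` and `/bin/true`, and the sample configuration are assumptions constructed for illustration.

```python
# Added example: "install line" versus "blacklist line" evidence per module.
MODULES = ["atm", "can", "firewire-core", "sctp", "tipc", "bluetooth", "usb-storage"]
# Assumption: commands an install override must run to count as disabling.
DISABLING_COMMANDS = {"/bin/false", "/bin/true"}

def norm(name):
    """modprobe treats '-' and '_' in module names as the same character."""
    return name.replace("-", "_")

def parse_modprobe_conf(text):
    """Return (install_disabled, blacklisted) as sets of normalised module names."""
    install_disabled, blacklisted = set(), set()
    text = text.replace("\\\n", " ")  # a trailing backslash continues the line
    for raw in text.splitlines():
        fields = raw.split()
        if not fields or fields[0].startswith("#"):
            continue  # blank line or comment
        if fields[0] == "blacklist" and len(fields) == 2:
            blacklisted.add(norm(fields[1]))
        elif (fields[0] == "install" and len(fields) == 3
              and fields[2] in DISABLING_COMMANDS):
            install_disabled.add(norm(fields[1]))
    return install_disabled, blacklisted

def evaluate(text, modules=MODULES):
    """Per module: which evidence exists, and the result if blacklist were accepted."""
    install_disabled, blacklisted = parse_modprobe_conf(text)
    report = {}
    for mod in modules:
        has_install = norm(mod) in install_disabled
        has_blacklist = norm(mod) in blacklisted
        report[mod] = {"install_line": has_install, "blacklist_line": has_blacklist,
                       "pass_if_blacklist_accepted": has_install or has_blacklist}
    return report

def blacklist_only(report):
    """Modules that fail an install-line check although they are blacklisted."""
    return [m for m, r in report.items()
            if r["blacklist_line"] and not r["install_line"]]

# Constructed sample standing in for the concatenated modprobe.d files.
SAMPLE_CONF = """\
blacklist atm
install can /bin/false
blacklist can
blacklist usb_storage
install sctp /bin/false
# blacklist tipc
install bluetooth /sbin/modprobe --ignore-install bluetooth
"""
```

Per modprobe.d(5), a `blacklist` line only causes the module's internal aliases to be ignored, while an `install` override replaces what runs when the module is requested by name; the two columns in the report are therefore kept separate rather than merged.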